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Status of Claims 

1 . This action is in reply to tlie Amendments filed on 29 July 2008. 

2. Claims 1, 4, 5, 7-1 1, 15, and 18-21 have been amended. 

3. Claims 1-22 are currently pending and have been examined. 

Response to Amendments 

4. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. 

5. The objection to the drawings in the previous office action is withdrawn in light of Applicant's 
amendments to the drawings. Examiner has entered the amended drawings. 

6. The objection to the specification in the previous office action is withdrawn in light of Applicant's 
arguments and amendments to the specification. Examiner has entered the amended 
specification. 

7. The objection to claims 14, 16 and 17 are withdrawn in light of Applicant's arguments. 

Response to Arguments 

8. Applicant's arguments received on 5 September 2008 (filed 29 July 2008) have been fully 
considered but are moot in view of the new ground(s) of rejection. However, in an effort to 
elucidate the applicability of the selected prior art, the Examiner notes that the very nature of the 
claims presented are applications of what are old and well-known management techniques that 
facilitate effective and efficient corporate governance and mitigate unnecessary duplication of 
effort. Examiner notes that additional prior art obtained in the initial search addresses the 
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amendments and Applicant sliould consult those specific claim elements below. 



Claim Objections 

9. Claim 11 is objected to because of the following informalities: The amendment to the claim has 
created a grammatically incorrect sentence where the phrase "the individually summarizing 
comprising" is confusing and grammatically problematic. Appropriate correction is required. 

Ciaim Rejections - 35 USC § 103 

10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 

rejections set forth in this Office action: 

A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
sl<ill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

11. Claims 1-22 are rejected under 35 U.S.C. 103(a) as being unpatentable over Williams 
{Information Security Governance) in view of Holmstrom {The State of U.S. Corporate 
Governance: ...) and further in view of TBR {The Business Roundtable: Principles of Corporate 
Governance). 

Claim 1: 

Williams teaches the following limitations as shown. 

• a plurality of governance databases, each database maintained by a respective 
governance source (Williams, in at least page 62 states: "Data and information are 
disclosed onlv to those who have a right to know (confidentiality); • Data and 
information are protected against unauthorised modification (integrity); [...] The 
relative priority and significance of availability, confidentiality and integrity vary 
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according to tlie data witiiin tlie information system and tlie business context in which 
the data are used ." (emphasis added) where 'only to those...' corresponds to a 
respective governance source and 'unauthorised modification' and 'business 
context...' corresponds to a database that is maintained since it is 'used', and ipso 
facto maintained.); 

• at least one or more communication networiis interconnecting tlie plurality of 
governance databases (Williams, in at least page 62 repeatedly refers to 
communications networks as in "The networked economy..." and on page 63 "other 
Internet-based threats...". Furthermore, Williams clearly refers to the infrastructure 
that supports such communications on page 66: "Strengthen all security and critical 
server and communications platforms :" and on page 62: "The objective of information 
security is: 'protecting the interests of those relying on information, and the systems 
and communications that deliver the information, from harm resulting from failures of 
availability, confidentiality and integrity.'" (emphasis added) where 'relying on 
information...' corresponds to the plurality of governance databases.); and 

• an integrated governance team reviewing data within the plurality of governance 
databases to identify significant issues for the enterprise in the governance areas 
(Williams, in at least page 60 states: "Even though it is delegated to management, 
the Board is ultimately responsible for this system of internal control '." (emphasis 
added) and on page 70: "IT security is a joint responsibility of business and ]T 
management and integrated with corporate business objectives ." (emphasis added) 
where the 'Board' corresponds to an integrated governance team, and 'system of 
internal control' corresponds to governance areas since, as indicated, the 'board' is 
ultimately responsible for governance. 'IT management' also corresponds to an 
integrated governance team and 'integrated with ..." corresponds to governance 
team reviewing data since IT management must, ipso facto, review data to mal<e 
informed decisions. Also, on page 64 it is stated: "Both the Board and executive 
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management need to take appropriate actions to acliieve tlieir security governance 
objectives. Take Board Level Action • Become informed about information security;" 
(emphasis added) wliere 'become informed' also corresponds to governance team 
reviewing data. Note also that on page 62, Williams further states: "The relative 
priority and significance of availability, confidentiality and integrity vary according to 
the data within the information system and the business context in which the data are 
used." (emphasis added) where 'significance of...', as indicated, is antecedent to a 
set of significant issues...), 

Williams does not specifically describe and/or disclose the following limitation, but Holmstrom, in 

an analogous art, does as shown. 

• a plurality of governance sources monitoring respective governance areas within a 
business enterprise (Holmstrom, in at least page 21 refers to "the audit committee" 
and on page 24 refers to the "compensations committees...") 

Holmstrom describes a number of governance areas in a typical enterprise. Williams further 
elaborates on methods for instituting effective information security governance in the typical 
enterprise. Both of these references recite a number of elements that are important to 
corporate governance in the information age and document, to one degree or another, 
actions and decisions and methods that corporate management teams and boards of 
directors frequently confront in their efforts to effectively manage and control an enterprise. 
Therefore, it would have been obvious to one with ordinary skill in the art at the time of the 
invention to combine the teachings of Holmstrom and Williams because together they 
delineate important elements for effective corporate governance. 

Neither Williams nor Holmstrom specifically teach the following limitations, but TBR, in an 
analogous art does as shown. 

• ttie plurality of governance sources including an audit group (TBR, p. 16 "Audit 
Committee"), a security group (TBR, p. 6 refers to "cyber security" where the board 
designates management responsibility, hence a group of people assigned), an ethics 
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group (TBR, p. 18 regarding "anotlier committee" tliat ensures ethical compliance), a 
compliance group (TBR, p. 19 reference to "compliance officers"), and a business 
controls group (TBR, p. 18 reference to "Internal controls"); 

• the integrated governance team including representatives from each of the plurality of 
governance sources (TBR, p. 14 "Virtually all boards of directors of large, publicly 
owned corporations operate using committees to assist them. A committee structure 
permits the board to address key areas in more depth than may be possible in a full 
board meeting. • Decisions about committee membership should be made by the full 
board, based on recommendations from a committee responsible for corporate 
governance issues . The board should designate the chairmen of the various 
committees, if this is not done by the committees themselves."), wherein each 
representative of a governance source is responsible for identifying and summarizing 
relevant data in his or her governance area across a plurality of business units that 
contain reports of enterprise non-compliance within the business enterprise using a 
common analytical process (TBR p. 6 " Advising management on significant issues 
facing the corporation. Directors can offer management a wealth of experience and a 
wide range of perspectives. They provide advice and counsel to management in 
formal board and committee meetings and are available for informal consultation with 
the CEO and senior management. 

• □ Reviewing and approving significant corporate actions. As required by state 
corporate law, the board reviews and approves specific corporate actions, such as 
the election of executive officers, declaration of dividends and appropriate major 
transactions. The board and senior management should have a clear understanding 
of what level or types of decisions require specific board approval... It is the 
responsibility of the board and its corporate governance committee to nominate 
directors and committee members and to oversee the composition, structure, 
practices and evaluation of the board and its committees ." (emphasis added) where 
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references to 'committee' and 'corporate governance committee' corresponds to 
integrated governance team. Neither Williams, Holmstrom nor TBR specifically teach 
that such team is comprised of representatives from each governance source, but 
Examiner takes Official Notice that it is old and well-known as well as common 
place in the organizational and management sciences that corporate governance and 
members of committees are typically comprised of representatives or members of 
what corresponds to governance sources or areas of corporate responsibility or 
departments. Also, TBR, p. ii refers to "within a framework of laws and regulations" 
which corresponds to a common analytical process), 
• wherein after the integrated governance team identifies a significant issue in a 
governance area (see TBR p. 6 as cited above regarding "significant issues facing 
the corporation"), a business unit is attempted to be determined to take ownership in 
resolving the issue (TBR, p. 26: "Many board responsibilities may be delegated to 
committees to permit directors to address key areas in more depth ." (emphasis 
added) where the emphasized text corresponds to a business unit is attempted... to 
take ownership...), wherein the integrated governance team takes ownership of the 
issue when the issue is new and has not been previously assigned to a business unit 
or when the issue occurs across more than one business unit (TBR, p. 26 with 
reference to "plenary power to its committees" and on p.2 reference to "the authority 
and responsibility for managing..."). 
Williams, Holmstrom and TBR all teach aspects of corporate/enterprise governance involving the 
identification of key issues, task assignments to various committees and typical structures 
associated with efficient delegation of tasks and personnel to effect efficient and responsive 
governance. These references therefore describe what amounts to widespread concepts and 
what is old and well-known in the modern, data-driven enterprise. The basic principles outlined in 
these references and obvious variations thereof provide a framework for efficient "governance 
practices" that "advance the ability of ... corporations to compete, create jobs and generate 
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economic growth." The impetus and motivation to achieve effective corporate governance using 
specialists and division of labor and expertise is old and well-known and the technical capabilities 
of combining the various elements of the aforementioned sources existed at the time of the 
instant invention and the effects of such combination was predictable. 
Claim 2: 

Williams/Holmstrom describe and/or disclose the limitations of claim 1, as shown above. 
Williams, as shown, further describes and/or discloses the following limitations. 

• the integrated governance team further determines a plan, at an enterprise level, to 
address the significant issue across the enterprise (Williams, in at least page 65-6 
states: "At the Executive Management Level [...] Establish clear, pragmatic 
enterprise and technology continuity programmes , continually tested and l<ept up to 
date" (emphasis added) where 'executive management...' corresponds to the 
integrated governance team, 'Establish... programmes' corresponds to determines a 
plan and where 'pragmatic enterprise... technology continuity' corresponds to the 
significant issue across the enterprise since technology continuity is an example of a 
significant issue.). 

Claim 3: 

Williams/Holmstrom describe and/or disclose the limitations of claim 1, as shown above. 
Williams, as shown, further describes and/or discloses the following limitations. 

• a database of the integrated governance team for storing a summary of governance 
information from the plurality of governance databases (Williams, in at least page 70, 
box 5 states: "IT security is a joint responsibility of business and IT management [...] 
Information on new threats and vulnerabilities is systematically collected and 
analysed , and adequate mitigating controls are promptly communicated and 
implemented." (emphasis added) where 'IT management' corresponds to the 
integrated governance team, 'information on...' corresponds to a summary of 
governance information and 'systematically collected...' corresponds to a database 
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...for storing .. .since the information is stored on a database in an environment 
associated with an 'optimized' IT infrastructure.). 

Claims 4 and 10: 

Although claims 4 and 10 are worded and/or structured slightly differently, they have the same 
scope and so are addressed together. Williams/Holmstrom describe and/or disclose the 
limitations of claims 1 as shown above and Williams describes and/or discloses the limitations of 
claim 5, as shown in the §1 02(b) rejections above. Williams, as shown, further describes and/or 
discloses the following limitations. 

■ the plurality of governance sources further include a legal department (Williams 
in at least page 63 teaches management control over legal matters, and on p. 67 
states: "There is senior management support to ensure that employees perform 
their duties in an ethical and secure manner" (emphasis added) where 'senior 
management support' corresponds to a governance source that involve 'ethical' 
and 'secur[ity]' concerns.) 
Neither Williams nor Holmstrom specifically teach that a governance source is a legal 
department, but TBR does on p.33 and describes and/or discloses "effective legal 
compliance programs" where such programs are maintained by a committee or group, 
hence corresponds to a legal department. Moreover, Examiner takes Official Notice 
that it is old and well-known as well as common place in the corporate management arts 
that most large, modern corporate structures contain a group or department commonly 
denominated as a "legal" or "law" or "legal affairs" department.). 

Williams, Holmstrom and TBR all teach aspects of corporate/enterprise 
governance involving the identification of key issues, task assignments to various 
committees and typical structures associated with efficient delegation of tasks and 
personnel to effect efficient and responsive governance. These references therefore 
describe what amounts to widespread concepts and what is old and well-known in the 
modern, data-driven enterprise. The basic principles outlined in these references and 
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obvious variations thereof provide a framework for efficient "governance practices" that 
"advance the ability of ... corporations to compete, create jobs and generate economic 
growth." The impetus and motivation to achieve effective corporate governance using 
specialists and division of labor and expertise is old and well-known and the technical 
capabilities of combining the various elements of the aforementioned sources existed at 
the time of the instant invention and the effects of such combination was predictable. 

Claim 5: 

Williams, as shown, describes and/or discloses the following limitations. 

• individually summarizing data from a plurality of governance databases located on a 
business network of a business enterprise (Williams, in at least page 66 states: "The 
security function has the means and ability to detect, record, analyse, report and act 
upon security incidents when they do occur, while minimising the probability of 
occurrence by applying intrusion testing and active monitoring " (emphasis added) 
where 'report' and 'active monitoring' corresponds to individually summarizing data. 
Also, on page 69, box 4: "Security processes are coordinated with the overall 
organization security function and reporting is linked to business objectives" 
(emphasis added) where the 'reporting' is associated with the 'overall organization', 
hence from a plurality of governance databases located on...) 

• wherein the plurality of governance databases is maintained by a plurality of 
governance departments, the plurality of governance departments including an audit 
department, a security department, an ethics department, a compliance department, 
and a business controls department (See rejection of claim 1 regarding the various 
governance sources); 

• reviewing the data at an enterprise level by an integrated governance team (see the 
rejection of claim 1) to identify one or more significant issues to the business 
enterprise (Williams, in at least page 65, col. 1 , top, states: "Conduct periodic reviews 
and tests" (emphasis added) which is done, ipso facto to identify one or 
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more .. .issues. Also, on page 64, Williams also describes this limitation: "Establisli 
monitoring measures to detect and ensure correction of security breaches, so that all 
actual and suspected breaches are promptly identified , investigated and acted upon, 
and to ensure ongoing compliance with policy, standards and minimum acceptable 
security practices" (emphasis added) where 'monitoring measures...' corresponds to 
reviewing the data, 'suspected breaches are ... identified' corresponds to to identify 
and where the 'breaches' are a significant issue to the business enterprise.); 

• determining a plan, at the enterprise level, to address the significant issue across the 
business enterprise (Williams, in at least page 70, box 5 states: "Security 
requirements are clearly defined , optimised and included in a yerified security plan . 
Functions are integrated with applications at the design stage and end users are 
increasingly accountable for managing security. IT security reporting provides early 
warning of changing and emerging risk , using automated active monitoring 
approaches for critical systems. Incidents are promptly addressed with formalised 
incident response procedures supported by automated tools." (emphasis added) 
where 'clearly defined' and 'security plan' and 'formalised incident... procedures' 
corresponds to determining a plan and 'changing and emerging risk' corresponds to 
the significant issue where all these elements are associated with an 'enterprise' 
(see, e.g., page 60 and on for frequent references to the enterprise), hence 
corresponds to at the enterprise level.); and 

• communicating the plan to each operational unit within the business enterprise 
(Williams, in at least page 64, col. 2 states: "Take Management Level Action • Write 
the security policy , with business input (Policy Development); • Ensure that individual 
roles , responsibilities and authority are clearly communicated and understood by all." 
(emphasis added) where 'the security policy' corresponds to the plan, 
'ensure... individual roles...' corresponds to each operational unit within... and clearly 
communicated' corresponds with communicating the plan.) 
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Neither Williams nor Holmstrom specifically teach the following limitations, but TBR, in an 
analogous art does as shown. 

• wherein the integrated governance team includes representatives from each of the 
plurality of governance departments (Examiner takes Official Notice that it is old and 
well-known as well as common place in the organizational and management 
sciences that corporate governance and members of committees are typically 
comprised of representatives or members of what corresponds to governance 
sources or areas of corporate responsibility or departments.), wherein each 
representative of a governance department is responsible for identifying and 
summarizing relevant data in his or her governance area across a plurality of 
business units that contain reports of enterprise non-compliance within the business 
enterprise using a common analytical process, wherein after the integrated 
governance team identifies a significant issue in a governance area, a business unit 
is attempted to be determined to take ownership in resolving the issue, wherein the 
integrated governance team takes ownership of the issue when the issue is new and 
has not been previously assigned to a business unit or when the issue occurs across 
more than one business unit (see the rejection of claim 1 ). 
Williams, Holmstrom and TBR all teach aspects of corporate/enterprise governance involving 
the identification of key issues, task assignments to various committees and typical structures 
associated with efficient delegation of tasks and personnel to effect efficient and responsive 
governance. These references therefore describe what amounts to widespread concepts 
and what is old and well-known in the modern, data-driven enterprise. The basic principles 
outlined in these references and obvious variations thereof provide a framework for efficient 
"governance practices" that "advance the ability of ... corporations to compete, create jobs 
and generate economic growth." The impetus and motivation to achieve effective corporate 
governance using specialists and division of labor and expertise is old and well-known and 
the technical capabilities of combining the various elements of the aforementioned sources 
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existed at tlie time of the instant invention and the effects of such combination was 
predictable. 

Claim 6: 

Williams describes and/or discloses the limitations of claim 5 as shown above. Williams further 
describes and/or discloses the following limitations. 

• the plan involves developing business controls for addressing the significant issue 
(Williams, in at least page 64, col. 2 states: " Develop a security and control 
framework that consists of standards, measures, practices, and procedures [...]" 
(emphasis added) where 'Develop... control framework' corresponds to developing 
business controls and on page 70, box 5 refers to "adequate mitigating controls are 
promptly communicated and implemented." (emphasis added) where 'mitigating 
controls' corresponds to controls that mitigate some detrimental effects associated 
with the significant issue, hence corresponds to for addressing the significant...). 

Claim 7: 

Williams describes and/or discloses the limitations of claim 5 as shown above. Williams further 
describes and/or discloses the following limitations. 

• implementing the plan within each operational unit of the business enterprise 
(Williams, in at least page 62, col. 2 states: " Implementing the solution on a timely 
basis, then maintaining it" (emphasis added) where 'implementing the solution' 
corresponds to implementing the plan. On page 63, col. 1, bottom, Williams further 
states: "[F]or information security to be properly addressed, greater involvement of 
boards of directors , executive management and business process owners is 
required. For information security to be properlv implemented , skilled resources such 
as information systems auditors , security professionals and technology providers 
need to be utilized. All interested parties should be involved in the process [...]" 
(emphasis added) where the emphasized text corresponds to each operational unit 
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so that the plan can be 'properly implemented' hence corresponds to 
implementing...). 

Claim 8: 

Williams describes and/or discloses the limitations of claim 7 as shown above. Williams further 
describes and/or discloses the following limitations. 

• tracking the progress of the plan in addressing the significant issue within each 
operational unit (Williams, in at least page 65, col. 2 states: "Measurement process 
with feedback on progress made " (emphasis added) and on page 66, col. 1: 
"Conduct information security audits based on a clear process and accountabilities 
with management tracking closure of recommendations." (emphasis added) where 
'management tracking...' and 'progress made' corresponds to tracking the progress 
of... and pertains to the significant issue since such security audits are used to 
identify security breaches which are a species of the significant issue.). 

Claim 9: 

Williams describes and/or discloses the limitations of claim 5 as shown above. Williams further 
describes and/or discloses the following limitations. 

• analyzing, at the enterprise level, each significant issue to ascertain a respective 
cause of the significant issue (Williams, in at least page 70, box 5 states: "Intrusion 
testing, root cause analysis of security incidents and proactive identification of risk is 
the basis for continuous improvements. Security processes and technologies 
integrated organization wide ." (emphasis added) where 'root cause analysis' 
corresponds to analyzing ...to ascertain a respective cause... and 'organization wide' 
corresponds to at the enterprise level. Finally, note that 'security incidents' 
corresponds to each significant issue... which is further delineated in box 5 of the 
reference.). 
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Williams describes and/or discloses the limitations of claim 5 as shown above. Williams further 
describes and/or discloses the following limitations. 

• electronically accessing each governance database containing governance data for 
operational units of the enterprise (Williams, in at least page 61, col. 2 states: "In this 
context, "valuable assets" are the data or information recorded on, processed by, 
stored in, shared by, transmitted or retrieved from an electronic medium ." (emphasis 
added) where 'valuable assets are corresponds to governance data for 
operational units of... and 'retrieved' corresponds to accessing and 'electronic 
medium' corresponds to electronically accessing. Note also that on page 63, col. 1 , 
Williams states: "Responsibility for governing and managing the improvement of 
security has consequently too often been limited to operational and technical 
managers . However, for information security to be properly addressed, greater 
involvement of boards of directors, executive management and business process 
owners is required ." (emphasis added) where the emphasized text collectively 
corresponds to operational units of the enterprise.); and 

• utilizing the representative of the governance department associated with a particular 
governance database to complete a template summarizing the governance data 
contained in the particular governance database for the operational units (Williams, in 
at least page 66, col. 1 states: " Develop clear policies and detailed guidelines , 
supported by a repetitive and assertive communications plan" (emphasis added) 
where 'develop... detailed guidelines' corresponds to complete a template 
summarizing... Note that Williams on page 66, col. 2 states: " Management and staff 
have a common understanding of security requirements, vulnerabilities and threats, 
and understand and accept their own security responsibilities ." (emphasis added) 
where 'management and staff and 'understanding' together correspond to utilizing a 
person familiar with .. .and further implies that the 'detailed guidelines' corresponds to 
governance data for the operational units since 'staff and 'responsibilities' together 
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imply a plurality of such units. Also, the act of developing clear policies, as shown 
above, but ipso facto be effected by a person which corresponds to a 
representative...). 

Claim 12: 

Williams/Holmstrom describe and/or disclose the limitations of claim 11 as shown above. 
Williams further describes and/or discloses the following limitations. 

• ttie template includes areas for providing details concerning the significant issue and 
the operational units affected by the significant issue (Williams, in at least page 66, 
col. 1 states: "Develop clear policies and detailed guidelines , supported by a 
repetitive and assertive communications plan" (emphasis added) where 'detailed 
guidelines' corresponds to the template includes areas for providing details... See 
also the rejection of claim 1 1 above with respect to the operational units affected by. 
Also, 'clear policies' corresponds to rules associated with important matters that 
affect various enterprise entities, hence corresponds to affected by the significant 
issue.) 

Claim 13: 

Williams describes and/or discloses the limitations of claim 5 as shown above. Williams further 
describes and/or discloses the following limitations. 

• the method is performed at periodic intervals (Williams, in at least page 64 states 
"Take Management Level Action" and on page 65: "Conduct periodic reviews and 
tests"). 

Claim 14: 

Williams describes and/or discloses the limitations of claim 5 as shown above. Williams further 
describes and/or discloses the following limitations. 

• significant issues include issues that are new and issues that occur across multiple 
operational units (Williams, in at least page 63, col. 1 states: "This means that there 
are new or re-focused risk areas that could have a significant impact upon critical 
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business operations sucli as: [ ] Growing potential for misuse and abuse of 
information systems affecting privacy and etiiical values" (emphasis added) where 
'new' and 'significant impact' correspond to significant issues ...ttiat are new, 'abuse 
of information systems' are significant issues ...ttiat occur across multiple operational 
units since issues affecting information systems can have enterprise-wide effects.). 

Claim 15: 

Williams describes and/or discloses the limitations of claim 5 as shown above. Williams further 
describes and/or discloses the following limitations. 

• utilizing collective l<nowledge within the business enterprise to identify the one or 
more significant issues (Williams, in at least page 66, col. 1 states: " Develop what-if 
scenarios on information security and risk, leveraqinq the knowledge of the 
specialists " (emphasis added) where 'develop...' corresponds to to identify 
...significant issues, and 'leveraging the knowledge ...' corresponds to utilizing 
collective l<nowledge within the business enterprise...). 

Claim 16: 

Williams describes and/or discloses the limitations of claim 15 as shown above. Williams further 
describes and/or discloses the following limitations. 

• the collective l<nowledge within the business enterprise includes an understanding of 
current business practices of the operational units (Williams, in at least page 64, col. 
2 states: "Ensure that individual roles, responsibilities and authority are clearly 
communicated and understood by all ." (emphasis added) where 'understood by all' 
corresponds to the collective knowledge within the business enterprise .. .On page 62, 
col. 2, Williams states: "Awareness, Training and Education — Creating awareness of 
the need to protect information, providing training in the skills needed to operate 
information systems securely, and offering education in security measures and 
practices ." (emphasis added) where 'creating awareness' also corresponds to 
collective knowledge and 'providing training...' in conjunction with 'measures and 
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practices' and 'understood by all' corresponds to understanding of current business 
practices of the operational units.). 

Claim 17: 

Williams describes and/or discloses the limitations of claim 15 as shown above. Williams further 
describes and/or discloses the following limitations. 

• ttie collective knowledge within the business enterprise includes an understanding of 
recent legal matters concerning the enterprise (Williams, in at least page 63, col. 2 
states: "As news of break-ins and losses related to hackers, computer viruses and 
other Internet-based threats grows more frequent, enterprise stakeholders are 
becoming concerned about the risks, regulatory requirements and investments 
associated with information security." (emphasis added) where 'news of, 'regulatory 
requirements' and 'enterprise stakeholders' corresponds to recent legal matters 
concerning the enterprise. Also, 'becoming concerned' corresponds to an 
understanding of as they pertain to 'regulatory requirements', hence recent legal 
matters.). 

Claim 18: 

Williams describes and/or discloses the limitations of claim 5 as shown above. Williams further 
describes and/or discloses the following limitations. 

• reviewing the data at the enterprise level to identify one or more issues that occur 
within a domain of a single operational unit (See the rejection of the correspondent 
limitation in claim 5. Further note that Williams delineates these and similar method 
steps to involve both "Board Level Action" and "Management Level Action" (see page 
64) hence corresponds to data at the enterprise level further to identify one ...issue[] 
within... a single operational unit where 'board level' review encompasses a single 
...unit to wit on page 63, col. 1 Williams states: "However, for information security to 
be properly addressed, greater involvement of boards of directors, executive 
management and business process owners is required. For information security to be 
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properly implemented, skilled resources such as information systems auditors , 
security professionals and technology providers need to be utilized. All interested 
parties should be involved in the process - but the buck stops at Board level. 
Governance is all about senior directors understanding the risks and the 
opportunities and gaining positive assurance that these are being properly and 
continuously managed ." (emphasis added) where the emphasized text corresponds 
to various operational units for which issues are identified.); 

• determining a strategy, at ttie single operational unit level, to address the one or 
more issues that occur within the domain of the single operational unit (See the 
rejection of the correspondent limitation in claim 5 and the rejection of the preceding 
limitation.); 

• communicating the strategy to each operational unit within the enterprise (See the 
rejection of the correspondent limitation in claim 5 and the rejection of the preceding 

limitation.); and 

• monitoring the progress of the strategy, at an enterprise level (Williams, in at least 
page 65, col.2 states: "Require that the head of security report progress and issues to 
the audit committee or direct to the Board itself (emphasis added) where 'report 
progress' corresponds to monitoring the progress of the strategy and 'to the Board 
itself corresponds to at an enterprise level.). 

Claim 19: 

Williams, as shown, describes and/or discloses the following limitations. 

• forming an integrated governance team to identify problematic issues in designated 
governance areas across a business enterprise, the integrated governance team 
comprising members having knowledge of each of the designated governance areas 
and of operational units within tiie enterprise (Williams, in at least page 65, col. 2 
states: "• Establish ownership for security and continuity with enterprise managers; • 
Create an audit committee that clearly understands its role in information security and 
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how it will work with management and auditors" (emphasis added) where establish 
ownership' in conjunction with 'create an audit committee' corresponds to forming an 
integrated governance team to identify problematic issues... since an audit committee 
is but one example of a group that seeks to identify problems. As this is done at the 
"board level" (see page 65) it pertains to issues... across a business enterprise. 
Moreover, on page 65 col. 1 Williams states: "Properly prioritised and distributed 
effort to areas with greatest impact and business benefit" (emphasis added) and on 
page 60, col. 2 states: "This has recently been issued by the IT Governance Institute, 
a body established on a global basis to establish thought leadership and to 
promulgate best practices in all areas of the governance of IT." (emphasis added) 
where 'areas of the governance' corresponds to designated governance areas.); 

• compiling data from a plurality of databases that contain information regarding the 
governance areas for a plurality of the operational units in the enterprise (Williams, 
page 70, box 5 states: "Information on new threats and vulnerabilities is 
systematically collected and analysed, and adequate mitigating controls are promptly 
communicated and implemented." (emphasis added) where 'new threats...' 
corresponds to information regarding governance areas and 'systematically collected' 
corresponds to compiling data from. Also note that on page 61, col. 2, Williams 
refers to "data or information recorded on ...an electronic medium" hence 
corresponds to such data as from a plurality of databases.); 

• integrating together data from the plurality of databases to form a comprehensive 
summary of governance information for the enterprise (See the rejection of the 
previous limitation. Also note that in conjunction with the previous rejection, Williams 
on page 65 states: Ensure that internal and external auditors agree with the audit 
committee and management how information security should be covered in the audit : 
• Require that the head of security report progress and issues to the audit committee 
or direct to the Board itself;" and on page 66 states: "Develop clear policies and 
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detailed guidelines , supported by a repetitive and assertive communications plan" 
(emphasis added) where reference to 'audit' corresponds to integrating togettier data 
from... and further, 'report' and 'detailed guidelines' corresponds to a compretiensive 
summary of governance ...); 

• analyzing, as a team, the comprehensive summary to identify one or more significant 
issues within the governance areas for the enterprise (Williams, in at least page 64, 
col.2, states: " Analyse risks , or identify industry practice for due care, analyse 
vulnerabilities " (emphasis added) where 'analyse...' corresponds to analyzing, as a 
team since this analysis is done within the scope of "Management Level Action" and 
where such is a team. Also, 'identify industry practice' and 'vulnerabilities' 
corresponds to a identify [a] significant issue[ ] within...); 

• utilizing collective knowledge of the integrated governance team to uncover the 
fundamental cause of the respective significant issue (Williams, in at least page 70, 
box 5 states: " Information on new threats and vulnerabilities is systematically 
collected and analysed , and adequate mitigating controls are promptly communicated 
and implemented. Intrusion testing, root cause analysis of security incidents and 
proactive identification of risk is the basis for continuous improvements. Security 
processes and technologies integrated organization wide ." (emphasis added) where 
'information on ...' and 'integrated organization wide' corresponds to utilizing 
collective l<nowledge of the integrated ... and 'root cause analysis' corresponds to to 
uncover the fundamental cause... and where 'threats and vulnerabilities' corresponds 
to species of a respective significant issue.); and 

• forming, as a team, a comprehensive plan to address the fundamental cause of the 
respective significant issue across the enterprise (Williams, in at least page 65, col. 2 
states: " Create an audit committee that clearly understands its role in information 
security and how it will work with management and auditors; [...] • Develop crisis 
management practices , involving executive management and the board of directors 
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from pre-agreed thresholds onwards." (emphasis added) where in respect of the 
rejection of the previous limitation, 'create an audit committee' corresponds to 
forming, as a team, 'develop crisis management practices' corresponds to a 
comprehensive plan to address... fioie that it is inherent for a group that engages in 
'crisis management' to address ttie fundamental cause of problems and issues 
confronting said group.) 
Neither Williams nor Holmstrom specifically teach the following limitations, but TBR, in an 
analogous art does as shown. 

• wfierein tfie integrated governance team includes representatives from each of the 
plurality of governance departments for the business enterprise, wherein each 
representative of a governance department is responsible for identifying and 
summarizing relevant data in his or her governance area across a plurality of 
business units that contain reports of enterprise non-compliance within the business 
enterprise using a common analytical process, wherein after the integrated 
governance team identifies a problematic issue in a designated governance area, a 
business unit is attempted to be determined to take ownership in resolving the issue, 
wherein the integrated governance team takes ownership of the issue when the issue 
is new and has not been previously assigned to a business unit or when the issue 
occurs across more than one business unit (see the rejection of claim 1 above). 
Williams, Holmstrom and TBR all teach aspects of corporate/enterprise governance involving the 
identification of key issues, task assignments to various committees and typical structures 
associated with efficient delegation of tasks and personnel to effect efficient and responsive 
governance. These references therefore describe what amounts to widespread concepts and 
what is old and well-known in the modern, data-driven enterprise. The basic principles outlined in 
these references and obvious variations thereof provide a framework for efficient "governance 
practices" that "advance the ability of ... corporations to compete, create jobs and generate 
economic growth." The impetus and motivation to achieve effective corporate governance using 
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specialists and division of labor and expertise is old and well-known and the technical capabilities 
of combining the various elements of the aforementioned sources existed at the time of the 
instant invention and the effects of such combination was predictable. 
Claim 20: 

Williams, as shown, describes and/or discloses the limitations of claim 19 as shown above. 
Williams further describes and/or discloses the following limitations. 

• the compiling step is performed by particular members familiar with the information 
contained in the databases (Williams, in at least page 70, box 5 states: "• IT security 
is a joint responsibility of business and IT management and integrated with corporate 
business objectives. [...] Information on new threats and vulnerabilities is 
systematically collected and analysed , and adequate mitigating controls are promptly 
communicated and implemented." (emphasis added) where the 'joint responsibility of 
..." and 'systematically collected...' corresponds to the compiling step is performed 
by particular members familiar since IT management is familiar with ...information 
...in... databases by virtue of their function.). 

Claim 21: 

Williams, as shown, describes and/or discloses the limitations of claim 19 as shown above. 
Williams further describes and/or discloses the following limitations. 

• communicating the plan to each of the operational units in the enterprise (Williams, in 
at least page 64, col. 2 states: "Take Management Level Action • Write the security 
policy , with business input (Policy Development); • Ensure that individual roles , 
responsibilities and authority are clearly communicated and understood by all." 
(emphasis added) where 'the security policy' corresponds to the plan, 
'ensure... individual roles...' corresponds to each operational unit within... and 'clearly 
communicated' corresponds with communicating the plan.). 
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Claim 22: 

Williams, as shown, describes and/or discloses the limitations of claim 19 as shown above. 

Williams further describes and/or discloses the following limitations. 

• the comprehensive plan involves developing business controls for addressing the 
respective significant issue (Williams, in at least page 60, col. 2 states: " These 
practices were intended to improve standards of corporate behaviour, strengthen 
business controls , and ensure accountability whilst retaining the essential spirit of the 
enterprise." (emphasis added) where 'these practices' corresponds to the 
comprehensive plan and 'strengthen business controls' corresponds to developing 
business controls. On page 62, col. 2, Williams further asserts that one of six major 
activities regarding security, a significant issue, is " Developing a security and control 
framework that consists of standards, measures, practices and procedures" 
(emphasis added) where 'developing' a 'control framework' also corresponds to 
developing business controls and 'framework' also corresponds to the 
comprehensive plan.). 
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Conclusion 

Applicant's amendment necessitated tlie new ground(s) of rejection presented in tiiis Office action. 
Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the 
extension of time policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the 
mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this 
final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened 
statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, 
and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the 
advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS 
from the date of this final action. 

Any inquiry of a general nature or relating to the status of this application or concerning this 
communication or earlier communications from the Examiner should be directed to Mark A. Fleischer 
whose telephone number is 571.270.3925. The Examiner can normally be reached on Monday-Friday, 
9:30am-5:00pm. If attempts to reach the examiner by telephone are unsuccessful, the Examiner's 
supervisor, Bradley Bayat whose telephone number is 571.272.6704 may be contacted. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 

http://portal.uspto.gov/external/portal/pair <http://pair-direct.uspto.gov >. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll- 
free). Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
P.O. Box 1450 
Alexandria, VA 22313-1450 
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or faxed to 571-273-8300. 

Hand delivered responses should be brought to the United States Patent and Trademark Office 
Customer Service Window: 

Randolph Building 
401 Dulany Street 
Alexandria, VA 22314. 



Mark A. Fleischer 
/Mark A Fleischer/ 
Examiner, Art Unit 3624 



5 November 2008 



/Bradley B Bayat/ 

Supervisory Patent Examiner, Art Unit 3624 



